• User Account
  • User account naming convention
  • User account user IDs
  • User password policies
      chage -l username
      chage --help
      /etc/shadow
      vi /etc/login.defs
  • Disable old password
      vi /etc/pam.d/system-auth
  • User or service account files and directories permission


• Remove unwanted packages
  • Install what you need
  • Remove packages no longer in use


• Stop unused services
  • List all running services
      systemctl (List only running service)
      systemctl -a (List every service running or not)
      telnet, ftp, NFS etc.
• Check on Listening Ports
  • netstat -tunlp


• Secure SSH Configuration
  • Disable direct root login
  • Change SSH port
• Enable Firewall (iptables/firewalld)
  • Older version = iptables
  • New version = firewalld
      firewall-config (GUI)
      firewall-cmd
      iptables
      older version = /etc/sysconfig/iptables-config
      new version = /etc/firewalld/
• Enable SELinux
  Security-Enhanced Linux (SELinux) is a security architecture integrated into the 2.6.x kernel using the Linux Security Modules (LSM). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.

  SELinux defines the access and transition rights of every user, application, process, and file on the system.

  /etc/sysconfig/selinux
      enforcing: The SELinux security policy is enforced.
      permissive: The SELinux system prints warnings but does not enforce policy. This is useful for debugging and troubleshooting purposes.
      disabled: SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.

  Commands = sestatus
  Find status of a file = stat filename
  Other commands = chcon, checkpolicy, newrole, getsebool, setsebool, fixfiles, semanage

  Documentation attached within the hand-out section


• Change Listening Services Port Numbers
• Keep your OS up to date (patching)
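
Three of the file-based items above (password aging in /etc/login.defs, direct root login over SSH, SELinux mode in /etc/sysconfig/selinux) can be checked with one read-only script. This is an added example, not part of the original hand-out. The function names, the 90-day threshold, the PASS_MAX_DAYS and PermitRootLogin keywords and the /etc/ssh/sshd_config path are assumptions not named on the page.

```sh
#!/bin/sh
# Added example: read-only audit of three file-based settings from the checklist.
# Function names and the 90-day password-age threshold are assumptions.

# conf_value FILE KEY: print the value of the first uncommented KEY line.
# Accepts "KEY value" (login.defs, sshd_config) and "KEY=value" (selinux).
# sshd_config Match blocks and Include files are not evaluated.
conf_value() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]/)) next    # keyword without a value
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + 1)
            sub(/^[ \t]*=?[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit LOGIN_DEFS SSHD_CONFIG SELINUX_CONFIG: print one PASS/FAIL line per check.
audit() (
    days=$(conf_value "$1" PASS_MAX_DAYS)
    root=$(conf_value "$2" PermitRootLogin)
    mode=$(conf_value "$3" SELINUX)
    case "$days" in
        ''|*[!0-9]*) echo "FAIL PASS_MAX_DAYS=$days" ;;
        *) if [ "$days" -le 90 ]; then echo "PASS PASS_MAX_DAYS=$days"
           else echo "FAIL PASS_MAX_DAYS=$days (over 90 days)"; fi ;;
    esac
    # Only an explicit "no" disables direct root login; unset falls back to the sshd default.
    if [ "$root" = "no" ]; then echo "PASS PermitRootLogin=$root"
    else echo "FAIL PermitRootLogin=$root"; fi
    # permissive only logs and disabled turns SELinux off, so only enforcing passes.
    if [ "$mode" = "enforcing" ]; then echo "PASS SELINUX=$mode"
    else echo "FAIL SELINUX=$mode"; fi
)

# Default paths; /etc/ssh/sshd_config is the usual OpenSSH location (assumption).
audit "${1:-/etc/login.defs}" "${2:-/etc/ssh/sshd_config}" "${3:-/etc/sysconfig/selinux}"
```

The script reports what the files on disk say; the running SELinux mode still has to be confirmed with sestatus.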


